Software Engineering Institute | Carnegie Mellon University

Carol Woody
December 2014 - Technical Note Predicting Software Assurance Using Quality and Reliability Measures

Topics: Cybersecurity Engineering, Software Assurance, Measurement and Analysis

Authors: Carol Woody, Robert J. Ellison, William Nichols

In this report, the authors discuss how a combination of software development and quality techniques can improve software security.

December 2014 - Technical Note Introduction to the Security Engineering Risk Analysis (SERA) Framework

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts, Carol Woody, Audrey J. Dorofee

This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.

June 2014 - Podcast Security and Wireless Emergency Alerts

Topics: Cybersecurity Engineering

Authors: Christopher Alberts, Carol Woody, Suzanne Miller

In this podcast Carol Woody and Christopher Alberts discuss guidelines that they developed to ensure that the WEA service remains robust and resilient against cyber attacks.

May 2014 - Book Chapter Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Carol Woody

In this book chapter, the authors discuss modern principles of software assurance and identify a number of relevant process models, frameworks, and best practices.

April 2014 - Podcast Best Practices for Trust in the Wireless Emergency Alerts Service

Topics: Pervasive Mobile Computing

Authors: Robert Ellison, Carol Woody, Suzanne Miller

In this podcast, CERT researchers Robert Ellison and Carol Woody discuss research aimed at increasing alert originators' trust in the WEA service and the public's trust in the alerts that they receive.

February 2014 - Special Report Maximizing Trust in the Wireless Emergency Alerts (WEA) Service

Topics: Measurement and Analysis

Authors: Carol Woody, Robert J. Ellison

This report presents recommendations for stakeholders of the Wireless Emergency Alerts (WEA) service that resulted from the development of two trust models, focusing on how to increase both alert originators’ and the public’s trust in WEA.

February 2014 - Special Report Best Practices in Wireless Emergency Alerts

Topics: Cyber Risk and Resilience Management

Authors: John McGregor, Joseph P. Elm, Elizabeth Trocki Stark (SRA International, Inc.), Jennifer Lavan (SRA International, Inc.), Rita C. Creel, Christopher J. Alberts, Carol Woody, Robert J. Ellison, Tamara Marshall-Keim

This report presents four best practices for the Wireless Emergency Alerts (WEA) service, including implementing WEA in a local jurisdiction, training emergency staff in using WEA, cross-jurisdictional governance of WEA, and cybersecurity risk management.

December 2013 - White Paper Foundations for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy)

In this paper, the authors highlight efforts to address the principles of software assurance and its educational curriculum.

November 2013 - White Paper Agile Security - Review of Current Research and Pilot Usage

Topics: Acquisition Support

Authors: Carol Woody

This white paper was produced to focus attention on the opportunities and challenges for embedding information assurance considerations into Agile development and acquisition.

July 2013 - White Paper Strengthening Ties Between Process and Security

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody

In this paper, Carol Woody summarizes recent key accomplishments, including harmonizing security practices with CMMI and using assurance cases.

July 2013 - White Paper Improving Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Robert J. Ellison

In this paper, the authors discuss what practitioners should know about software assurance, where to look, what to look for, and how to demonstrate improvement.

July 2013 - White Paper Scale: System Development Challenges

Authors: Carol Woody, Robert J. Ellison

In this paper, the authors describe software assurance challenges inherent in networked systems development and propose a solution.

July 2013 - White Paper Supply-Chain Risk Management: Incorporating Security into Software Development

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Robert J. Ellison

In this paper, the authors describe practices that address defects and mechanisms for introducing these practices into the acquisition lifecycle.

May 2013 - White Paper Strengths in Security Solutions

Topics: Cybersecurity Engineering, Secure Coding

Authors: Arjuna Shunn (Microsoft), Carol Woody, Robert C. Seacord, Allen D. Householder

In this white paper, the authors map eight CERT tools, services, and processes to Microsoft's Simplified Security Development Lifecycle.

May 2013 - White Paper A Systemic Approach for Assessing Software Supply-Chain Risk

Topics: Acquisition Support, Cybersecurity Engineering, Software Assurance

Authors: Audrey J. Dorofee, Carol Woody, Christopher J. Alberts, Rita C. Creel, Robert J. Ellison

In this paper, the authors highlight the approach being implemented by SEI researchers and provide a summary of the status of this work.

May 2013 - White Paper Foundations for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors highlight efforts underway to address our society’s growing dependence on software and the need for effective software assurance.

January 2013 - Article Guest Editorial Preface for 2013 Special Issue of the International Journal of Secure Software Engineering

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Ivan Flechais (University of Oxford), Dan Shoemaker (University of Detroit Mercy), Carol Woody

In this preface, the guest editors of this special edition provide a context for the articles that comprise the issue.

January 2013 - Book Chapter Principles and Measurement Models for Software Assurance

Topics: Cybersecurity Engineering, Measurement and Analysis, Software Assurance

Authors: Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Carol Woody

In this book chapter, the authors present a measurement model with seven principles that capture the fundamental managerial and technical concerns of development and sustainment.

November 2012 - Technical Note DoD Information Assurance and Agile: Challenges and Recommendations Gathered Through Interviews with Agile Program Managers and DoD Accreditation Reviewers

Topics: Acquisition Support

Authors: Stephany Bellomo, Carol Woody

This paper discusses the natural tension between rapid fielding and response to change (characterized as agility) and DoD information assurance policy. Data for the paper was gathered through interviews with DoD project managers and IA representatives.

June 2012 - White Paper Introduction to System Strategies

Authors: Robert J. Ellison, Carol Woody

In this paper, the authors discuss the effects of the changing operational environment on the development of secure systems.

September 2011 - CERT Research Report Supply Chain Assurance Overview

Topics: Cybersecurity Engineering

Authors: Robert J. Ellison, Christopher J. Alberts, Rita C. Creel, Audrey J. Dorofee, Carol Woody

In this section of the research report, the authors attempt to integrate development and acquisition practices with risk-based evaluations and mitigations.

December 2010 - Technical Note Software Supply Chain Risk Management: From Products to Systems of Systems

Topics: Cybersecurity Engineering

Authors: Robert J. Ellison, Christopher J. Alberts, Rita C. Creel, Audrey J. Dorofee, Carol Woody

In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.

August 2010 - Technical Report A Framework for Modeling the Software Assurance Ecosystem: Insights from the Software Assurance Landscape Project

Topics: Software Assurance, Cybersecurity Engineering

Authors: Lisa Brownsword, Carol Woody, Christopher J. Alberts, Andrew P. Moore

In this report, the authors describe the SEI Assurance Modeling Framework, piloting to prove its value, and insights gained from that piloting.

June 2010 - Technical Note Survivability Analysis Framework

Topics: Cybersecurity Engineering

Authors: Robert J. Ellison, Carol Woody

In this report, the authors describe the Survivability Analysis Framework, which is used to evaluate critical operational capabilities.

May 2010 - Webinar Engineering Improvement in Software Assurance: A Landscape Framework

Topics: Cybersecurity Engineering, Software Assurance

Authors: Lisa Brownsword, Carol Woody

In this 2010 webinar, Carol Woody describes and presents a pilot of the Assurance Modeling Framework, and discusses insights gained from its application.

May 2010 - Technical Note Evaluating and Mitigating Software Supply Chain Security Risks

Topics: Software Assurance

Authors: Robert J. Ellison, John B. Goodenough, Charles B. Weinstock, Carol Woody

In this 2010 report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.

March 2010 - White Paper Cyber Assurance

Authors: Christopher J. Alberts, Robert J. Ellison, Carol Woody

This paper, extracted from the 2009 CERT Research Report, describes planned research tasks in the field of cyber assurance.

October 2009 - Webinar The Survivability Analysis Framework

Topics: Cybersecurity Engineering

Authors: Robert J. Ellison, Carol Woody

In this October 2009 webinar, Robert Ellison and Carol Woody present the Survivability Analysis Framework.

February 2009 - Special Report Multi-View Decision Making (MVDM) Workshop

Topics: Acquisition Support, Cybersecurity Engineering, Risk and Opportunity Management, System of Systems, Software Assurance

Authors: Christopher J. Alberts, James Smith, Carol Woody

In this report, the authors describe the value of multi-view decision making, a set of practices that reflect the realities of complex development efforts.

May 2008 - Technical Report Survivability Assurance for System of Systems

Topics: Cybersecurity Engineering, Software Assurance

Authors: Robert J. Ellison, John B. Goodenough, Charles B. Weinstock, Carol Woody

In this report, the authors describe the Survivability Analysis Framework, a structured view of people, process, and technology.

September 2007 - Technical Note Process Improvement Should Link to Security: SEPG 2007 Security Track Recap

Topics: Cyber Risk and Resilience Management

Authors: Carol Woody

In this document, Carol Woody summarizes the content shared at the 2007 SEPG conference and steps underway toward ties between security and process improvement.

July 2007 - White Paper System Strategies References

Topics: Cybersecurity Engineering, Software Assurance

Authors: Robert J. Ellison, Carol Woody

In this paper, the authors provide references related to system strategies.

January 2007 - Article Considering Operational Security Risk During System Development

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Christopher J. Alberts

In this article, the authors examine OCTAVE, an operational security-risk methodology, and apply it to security-related risks during system development.

May 2006 - Technical Note Sustaining Software-Intensive Systems

Topics: Acquisition Support

Authors: Mary Ann Lapham, Carol Woody

This 2006 report discusses questions about sustaining new and legacy systems; the report presents definitions, related issues, future considerations, and recommendations for sustaining software-intensive systems.

May 2006 - Technical Note Applying OCTAVE: Practitioners Report

Topics: Cyber Risk and Resilience Management

Authors: Carol Woody, Johnathan Coleman (No Affiliation), Michael Fancher (No Affiliation), Carol Myers (No Affiliation), Lisa R. Young

In this report, the authors describe how OCTAVE has been used and tailored to fit a wide range of organizational risk assessment needs.

December 2005 - Handbook Software Acquisition Planning Guidelines

Topics: Acquisition Support

Authors: William E. Novak, Julie B. Cohen, Anthony J. Lattanze, Linda Levine, Patrick R. Place, Ray C. Williams, Carol Woody

This 2005 handbook presents guidance for acquisition planning and strategy topics in a condensed form, and references the primary resources available for each topic.

March 2005 - Technical Note Eliciting and Analyzing Quality Requirements: Management Influences on Software Quality Requirements

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody

In this 2005 report, Carol Woody documents how environments for system development can support or reject improved quality requirements elicitation mechanisms.

January 2005 - Handbook OCTAVE-S Implementation Guide, Version 1

Topics: Cyber Risk and Resilience Management

Authors: Cecilia Albert, Audrey J. Dorofee, James F. Stevens, Carol Woody

In this 2005 handbook, the authors provide detailed guidelines for conducting an OCTAVE-S evaluation.

August 2003 - User's Guide Introduction to the OCTAVE Approach

Topics: Cyber Risk and Resilience Management

Authors: Christopher J. Alberts, Audrey J. Dorofee, James F. Stevens, Carol Woody

In this 2003 report, the authors describe the OCTAVE method, an approach for managing information security risks.